
CLAIMS 

1. A Web server input string screening method comprising:
determining an attack pattern that can be used to attack a Web server;
defining a search pattern that can be used to detect the attack pattern, the
search pattern being defined in a manner that permits variability among its
constituent parts;

receiving an input string that is intended for use by a Web server;
evaluating the input string using the search pattern to ascertain whether the
attack pattern is present; and

implementing a remedial action if an attack pattern is found that matches
the search pattern.

2. The Web server input string screening method of claim 1, wherein:
said defining comprises defining a plurality of different search patterns; and
said evaluating comprises evaluating the input string using said plurality of
different search patterns.

3. The Web server input string screening method of claim 1, wherein the
search pattern is specified as a regular expression.

4. The Web server input string screening method of claim 1, wherein
said receiving of the input string comprises receiving a URL.

5. The Web server input string screening method of claim 1, wherein
said receiving of the input string comprises receiving a portion of an HTTP verb
request.



6. The Web server input string screening method of claim 1, wherein
said implementing comprises denying a request that is associated with the input
string.



7. A Web server input string screening method comprising:
defining one or more search patterns that comprise literal characters and
special characters, wherein the literal characters indicate exact characters in an
input string that is intended for receipt by a Web server, and the special characters
indicate variable characters in an input string that is intended for receipt by the
Web server, the search patterns being usable to search for an attack pattern that
can be used to attack the Web server; and

storing the one or more search patterns in a memory location that is
accessible to a screening tool for evaluating an input string that is intended for
receipt by the Web server.



8. The Web server input string screening method of claim 7 further
comprising:

retrieving a search pattern from the memory location; and
evaluating an input string with the screening tool by ascertaining whether
the input string includes at least a portion that matches the search pattern.

9. The Web server input string screening method of claim 8, wherein the
evaluating of the input string comprises evaluating a URL.

10. The Web server input string screening method of claim 8, wherein
the evaluating of the input string comprises evaluating a portion of an HTTP verb
request.

11. The Web server input string screening method of claim 7 further
comprising implementing the screening tool as an extension for an existing Web
server.



12. The Web server input string screening method of claim 7 further
comprising implementing the screening tool as an ISAPI extension.



13. A Web server input string screening method comprising:
defining one or more search patterns that are specified as a regular
expression, the search patterns being usable to search for an attack pattern that can
be used to attack the Web server; and

storing the one or more search patterns in a memory location that is
accessible to a screening tool for evaluating an input string that is intended for
receipt by the Web server.



14. The Web server input string screening method of claim 13 further
comprising:

retrieving a search pattern from the memory location; and
evaluating an input string with the screening tool by ascertaining whether
the input string includes at least a portion that matches the search pattern.

15. The Web server input string screening method of claim 14, wherein
the evaluating of the input string comprises evaluating a URL.

16. The Web server input string screening method of claim 14, wherein
the evaluating of the input string comprises evaluating a portion of an HTTP verb
request.

17. A computer-readable medium having computer-readable
instructions thereon which, when executed by a computer, perform the method of
claim 14.



18. A Web server input string screening tool comprising:
a pattern matching engine that is configured to receive an input string that
is intended for use by a Web server and evaluate the input string to ascertain
whether it likely constitutes an attack on the Web server; and

one or more patterns that are usable by the pattern matching engine to
evaluate the input string, the patterns being defined in a manner that permits
variability among the constituent parts of the one or more patterns.



19. The Web server input string screening tool of claim 18, wherein the
one or more patterns are specified as regular expressions.

20. The Web server input string screening tool of claim 18, wherein the
pattern matching engine is configured to receive an input string that comprises a
URL.

21. The Web server input string screening tool of claim 18, wherein the
pattern matching engine is configured to receive an input string that comprises a
portion of an HTTP verb request.



22. One or more computer readable media having computer-readable
instructions thereon which, when executed by a computer perform the following
steps:

receiving an input string that is intended for use by a Web server;
evaluating the input string using a search pattern to ascertain whether the
input string contains an attack pattern that can be used to attack the Web server,
the search pattern comprising literal characters and special characters, wherein
literal characters indicate exact characters in the input string, and the special
characters indicate variable characters in the input string; and

implementing a remedial action if an attack pattern is found that matches
the search pattern.



23. The computer-readable media of claim 22, wherein said
implementing comprises denying a request that is associated with the input string.

24. The computer-readable media of claim 22, wherein said receiving
comprises receiving a URL.

25. The computer-readable media of claim 22, wherein said receiving
comprises receiving an input string that is associated with an HTTP verb request.



26. A collection of Web server screening patterns comprising:
a memory; and

a plurality of patterns stored in the memory, the patterns being useable to
screen input strings that are intended for use by a Web server, individual patterns
being defined in a manner that permits variability among their constituent parts.



27. The collection of claim 26, wherein the patterns are specified as
regular expressions.



28. The collection of claim 26, wherein the collection is adapted for 
addition to, deletion of, or modification of patterns. 



29. The collection of claim 26, wherein the patterns are configured for 
use in screening URLs that are intended for use by a Web server. 



30. The collection of claim 26, wherein the patterns are configured for
use in screening input strings associated with HTTP verb requests that are
intended for use by a Web server.

31. The collection of claim 26 configured for use by an ISAPI
extension.
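
An added illustration of the screening approach the claims describe, not code from the patent: an editable pattern collection held in memory, regular-expression patterns that mix literal and special characters, evaluation of a URL or request line, and denial as the remedial action. The class and function names, the two sample patterns, the verb policy and the sample inputs are all constructed for this example.

```python
import re

class PatternStore:
    """Editable in-memory collection of named search patterns."""

    def __init__(self):
        self._patterns = {}

    def add(self, name, regex):
        # Compile on insert so a malformed pattern fails here, not per request.
        self._patterns[name] = re.compile(regex, re.IGNORECASE)

    def remove(self, name):
        self._patterns.pop(name, None)

    def screen(self, input_string):
        """Return ("deny", names of matching patterns) or ("allow", [])."""
        hits = sorted(n for n, rx in self._patterns.items()
                      if rx.search(input_string))
        return ("deny" if hits else "allow", hits)


def build_store():
    """Constructed sample patterns; not taken from the claims."""
    store = PatternStore()
    # Literal dots plus special characters (alternation, repetition) so that
    # "../", "..\" and percent-encoded spellings all match one pattern.
    store.add("dir-traversal", r"(?:\.|%2e){2}(?:/|\\|%2f|%5c)")
    # Request line whose verb is not GET, HEAD or POST (assumed site policy).
    store.add("unexpected-verb", r"^(?!(?:GET|HEAD|POST) )[A-Z]+ ")
    return store


def literal_screen(input_string):
    """Fixed-string baseline with no variability, for comparison."""
    return "deny" if "../" in input_string else "allow"


if __name__ == "__main__":
    store = build_store()
    for s in ["/images/logo.png",
              "/docs/../../notes.txt",
              "/docs/..%2F..%2Fnotes.txt",
              "GET /index.html HTTP/1.1",
              "TRACE / HTTP/1.1"]:
        print(f"{s!r:32} regex={store.screen(s)} literal={literal_screen(s)}")
```

The patterns are applied to the string as received, so every spelling the server would later accept has to be covered by a pattern or normalized before screening.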